US12229255B2 (Active, Utility patent)

Methods and systems for multi-tool orchestration

Assignee: CAPITAL ONE SERVICES LLC
Priority: Oct 31, 2018
Filed: May 9, 2022
Granted: Feb 18, 2025
Est. expiry: Oct 31, 2038 (~12.3 yrs left; nominal 20-yr term from priority)
Inventors: YOUNGBERG ADAM; FILBEY DAVID; FERNANDO KISHORE PRABAKARAN; KENT STEPHEN
CPC: G06F 21/562; G06F 11/3604; G06F 2221/033; G06F 21/105; G06F 9/44536; G06F 21/577; G06F 9/52; G06F 21/566; G06F 21/563; G06F 21/554

PatentIndex score: 48 · Cited by: 0 · References: 80 · Claims: 20

Abstract

A system for performing code security scan includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores a plurality of identifiers each identifying a software security analysis tool of one of several categories, including SAST, DAST and OSA tools. The processor receives an identification of code to be scanned. The processor selects at least two identifiers from the plurality of identifiers. The at least two identifiers identify at least two select software security analysis tools for execution on the identified code. The processor receives an execution result from each select software security analysis tool after performing execution on the identified code. The processor aggregates the execution result from each select software security analysis tool. A user interface displays an aggregation of the execution result from each select software security analysis tool.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system for performing code security scan, comprising:
 one or more processors; 
 a graphical user interface (GUI); and 
 memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
 receive code to be scanned; 
 analyze the code to be scanned with two or more software security analysis tools, each of the two or more software security analysis tools selected from a different category of a plurality of categories comprising a first category for performing Static Application Security Testing (SAST), a second category for performing Dynamic Application Security Testing (DAST), and a third category for performing Interactive Software Security Testing (IAST); 
 display, in the GUI, status information of the analysis from each of the two or more software security analysis tools, the status information comprising a selectable button to configure each of the two or more software security analysis tools; 
 receive a result from each of the two or more software security analysis tools; and 
 aggregate the result from each of the two or more software security analysis tools. 
 
 
     
     
       2. The system of  claim 1 , wherein the instructions further cause the one or more processors to:
 determine that a license status is expired for at least one of the two or more software security analysis tools; 
 generate a license renewal request for the at least one software security analysis tool; 
 send, to a licensor of the at least one software security analysis tool, the license renewal request; 
 receive, from the licensor, a license renewal for the at least one software security analysis tool; and 
 update the license status for the at least one software security analysis tool to a renewed license status. 
 
     
     
       3. The system of  claim 2 , wherein the status information further comprises the license status, the licensor, and the renewed license status. 
     
     
       4. The system of  claim 1 , wherein the instructions further cause the one or more processors to:
 display a request on the GUI comprising the first category, the second category, and the third category for the two or more software security analysis tools selected from a different category; and 
 receive a selection of the two or more software security analysis tools for execution on the code. 
 
     
     
       5. The system of  claim 1 , wherein the aggregation of the result from each of the two or more software security analysis tools displayed in the GUI comprises a severity, a category, and a name of the result. 
     
     
       6. The system of  claim 1 , wherein the instructions further cause the one or more processors to:
 display, on the GUI, (i) the aggregation from each of the two or more software security analysis tools, and (ii) a confidence score for each of the two or more software security analysis tools; 
 identify at least one false positive result; and 
 instruct an additional software security analysis tool from each category to perform a security scan on the code associated with the false positive result. 
 
     
     
       7. The system of  claim 1 , wherein the aggregation of the result from each software security analysis tool displayed in the GUI further comprises:
 a first score for a combined static analysis result; 
 a second score for open source license analysis; and 
 a third score for open source known vulnerabilities. 
 
     
     
       8. The system of  claim 1 , further comprising:
 a scan database storing information of historical scan activity performed by each category of software security analysis tools. 
 
     
     
       9. The system of  claim 8 , wherein the instructions further cause the one or more processors to: receive a request for historical scan activity corresponding to one software security analysis tool from the two or more software security analysis tools; and provide, on the GUI, the historical scan activity. 
     
     
       10. The system of  claim 1 , wherein the status information comprises an execution progress for each of the two or more software security analysis tools, the execution progress comprising one or more of: completed, in progress, and queued. 
     
     
       11. A multi-tool orchestration system comprising:
 one or more processors; 
 a graphical user interface (GUI); and 
 memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
 receive, from a host server, an analysis request comprising software code to be scanned and two or more software security analysis tools to perform the scan, each of the two or more software security analysis tools selected from a different category of a plurality of categories comprising a first category for performing Static Application Security Testing (SAST), a second category for performing Dynamic Application Security Testing (DAST), and a third category for performing Interactive Software Security Testing (IAST); 
 analyze, with the two or more software security analysis tools, the software code; 
 display, on the GUI, status information of the analysis from each of the two or more software security analysis tools, the status information comprising a selectable button to configure each of the two or more software security analysis tools; 
 aggregate the analysis from each of the two or more software security analysis tools to create an aggregate result; and 
 provide, to the host server, the aggregate result for a presentation on a multi-tool security analysis website. 
 
 
     
     
       12. The system of  claim 11 , wherein the instructions further cause the one or more processors to:
 determine that a license status is expired for at least one of the two or more software security analysis tools; 
 generate a license renewal request for the at least one software security analysis tool; 
 send, to a licensor of the at least one software security analysis tool, the license renewal request; 
 receive, from the licensor, a license renewal for the at least one software security analysis tool; and 
 update the license status for the at least one software security analysis tool to a renewed license status. 
 
     
     
       13. The system of  claim 12 , wherein the status information further comprises the license status, the licensor, and the renewed license status. 
     
     
       14. The system of  claim 11 , wherein the aggregation of the analysis from each software security analysis tool displayed on the GUI further comprises:
 a first score for a combined static analysis result; 
 a second score for open source license analysis; and 
 a third score for open source known vulnerabilities. 
 
     
     
       15. The system of  claim 11 , further comprising:
 a scan database storing historical scan activity performed by each category of software security analysis tools. 
 
     
     
       16. The system of  claim 15 , wherein the instructions further cause the one or more processors to:
 receive a request for historical scan activity corresponding to one software security analysis tool from the two or more software security analysis tools; and 
 provide, on the GUI, the historical scan activity. 
 
     
     
       17. The system of  claim 11 , wherein the instructions further cause the one or more processors to:
 receive, from the host server, user configuration settings corresponding to at least one of the two or more software security analysis tools; and 
 configure the at least one software security analysis tool based on the user configuration settings. 
 
     
     
       18. A multi-tool security analysis system comprising:
 one or more processors; 
 a graphical user interface (GUI); and 
 memory storing instructions that, when executed by the one or more processors, cause the one or more processors to:
 receive an analysis request comprising software code to be scanned and two or more software security analysis tools, each of the two or more software security analysis tools being selected from different categories of a plurality of categories comprising a first category for performing Static Application Security Testing (SAST), a second category for performing Dynamic Application Security Testing (DAST), and a third category for performing Interactive Software Security Testing (IAST); 
 analyze, with the two or more software security analysis tools, the software code; 
 display, in the GUI, status information of the analysis from each of the two or more software security analysis tools, the status information comprising a selectable button to configure each of the two or more software security analysis tools; 
 receive, from the GUI, user configuration settings corresponding to at least one of the two or more software security analysis tools; 
 configure the at least one of the two or more software security analysis tools based on the user configuration settings; 
 aggregate a vendor-specific output from each of the two or more software security analysis tools to create an aggregate result; 
 send the aggregate result to a multi-tool security analysis website for presentation; and 
 display, on the GUI, (i) the aggregate result and (ii) a confidence score for each of the two or more software security analysis tools. 
 
 
     
     
       19. The system of  claim 18 , wherein the instructions further cause the one or more processors to:
 determine that a license status is expired at least one of the two or more software security analysis tools; 
 generate a license renewal request for the at least one software security analysis tool; 
 send, to a licensor of the at least one software security analysis tool, the license renewal request; 
 receive, from the licensor, a license renewal for the at least one software security analysis tool; and 
 update the license status for the at least one software security analysis tool to a renewed license status. 
 
     
     
       20. The system of  claim 18 , wherein the instructions further cause the one or more processors to:
 receive a request for historical scan activity corresponding to one software security analysis tool of the two or more software security analysis tools; and 
 provide, on the GUI, the historical scan activity.
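
The abstract and claims 1, 2, 5 and 6 describe one flow: pick at least two tools from different categories (SAST, DAST, IAST, OSA), refuse or renew a tool whose license has expired, collect each tool's vendor-specific output, aggregate it into findings with a severity, category and name, and attach a per-tool confidence score that drives a re-scan of suspected false positives. The following is an added example of that flow in Python; it is not code from the patent or from the assignee. The tool identifiers, the two vendor output formats, the merge key (finding name plus location), the confidence metric (share of a tool's findings whose name is also reported by a tool of another category) and the choice to refuse an expired-license tool rather than auto-renew it are all assumptions made for the example.

```python
"""Toy multi-tool orchestrator (added example, not the patent's implementation)."""
from dataclasses import dataclass
from collections import defaultdict
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Tool:
    identifier: str        # identifier stored in the tool registry (abstract)
    category: str          # "SAST", "DAST", "IAST" or "OSA"
    license_expired: bool = False


@dataclass(frozen=True)
class Finding:
    tool: str
    category: str
    name: str
    severity: str
    location: str


def select_tools(registry, wanted):
    """Claim 1 requires two or more tools from *different* categories; claim 2
    tracks license status. Assumption: an expired tool is refused, not skipped."""
    chosen = [registry[i] for i in wanted]
    if len(chosen) < 2 or len({t.category for t in chosen}) < 2:
        raise ValueError("select at least two tools from different categories")
    expired = [t.identifier for t in chosen if t.license_expired]
    if expired:
        raise RuntimeError(f"license expired, renewal needed: {expired}")
    return chosen


# Vendor-specific adapters; both output formats are invented for this example.
def parse_json_issues(tool, raw):
    return [Finding(tool.identifier, tool.category, i["rule"], i["sev"].lower(),
                    f'{i["file"]}:{i["line"]}') for i in json.loads(raw)["issues"]]


def parse_pipe_lines(tool, raw):
    out = []
    for line in raw.strip().splitlines():
        sev, name, loc = line.split("|", 2)
        out.append(Finding(tool.identifier, tool.category, name, sev.lower(), loc))
    return out


ADAPTERS = {"SAST": parse_json_issues, "DAST": parse_pipe_lines, "IAST": parse_pipe_lines}


def aggregate(findings):
    """Merge findings that share (name, location) across tools; the merged entry keeps
    the highest severity and lists every tool and category that reported it."""
    merged = {}
    for f in findings:
        entry = merged.setdefault((f.name, f.location), {
            "name": f.name, "location": f.location, "severity": f.severity,
            "tools": set(), "categories": set()})
        entry["tools"].add(f.tool)
        entry["categories"].add(f.category)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f.severity
    return sorted(merged.values(),
                  key=lambda e: (-SEVERITY_RANK[e["severity"]], e["name"], e["location"]))


def confidence_scores(findings):
    """Assumed metric: share of a tool's findings whose name is also reported by a
    tool of another category. Names seen by one category only are candidates for
    the re-scan of claim 6, not automatic false positives."""
    cats_by_name = defaultdict(set)
    for f in findings:
        cats_by_name[f.name].add(f.category)
    per_tool = defaultdict(list)
    for f in findings:
        per_tool[f.tool].append(len(cats_by_name[f.name]) > 1)
    scores = {t: sum(v) / len(v) for t, v in per_tool.items()}
    uncorroborated = sorted(n for n, c in cats_by_name.items() if len(c) == 1)
    return scores, uncorroborated


def run_scan(registry, wanted, raw_outputs):
    """raw_outputs maps tool identifier -> that tool's already collected output."""
    findings = []
    for tool in select_tools(registry, wanted):
        findings.extend(ADAPTERS[tool.category](tool, raw_outputs[tool.identifier]))
    scores, suspects = confidence_scores(findings)
    return {"findings": aggregate(findings), "confidence": scores, "recheck": suspects}


# Constructed registry and tool outputs for the example.
REGISTRY = {
    "sast-a": Tool("sast-a", "SAST"),
    "dast-b": Tool("dast-b", "DAST"),
    "iast-c": Tool("iast-c", "IAST"),
    "sast-x": Tool("sast-x", "SAST", license_expired=True),
}
RAW = {
    "sast-a": json.dumps({"issues": [
        {"rule": "SQL Injection", "sev": "High", "file": "app/db.py", "line": 42},
        {"rule": "Hardcoded Secret", "sev": "Medium", "file": "app/config.py", "line": 7}]}),
    "dast-b": "CRITICAL|SQL Injection|/api/users?id=\nLOW|Missing Security Headers|/login\n",
    "iast-c": "CRITICAL|SQL Injection|app/db.py:42\n",
}

if __name__ == "__main__":
    report = run_scan(REGISTRY, ["sast-a", "dast-b", "iast-c"], RAW)
    for e in report["findings"]:
        print(e["severity"], e["name"], e["location"], sorted(e["tools"]))
    print("confidence:", report["confidence"], "re-check:", report["recheck"])
```

Two caveats a practitioner would want before building on this shape: a DAST tool reports URLs while SAST and IAST report source locations, so merging on (name, location) only collapses findings from tools that share the same view of the code, and corroborating by rule name is coarse because vendors name the same weakness differently; normalising every finding to a CWE identifier before merging is the usual fix. Also, a name seen by only one category is a prompt for the re-scan in claim 6, not proof of a false positive: SAST routinely finds real defects on code paths the DAST crawler never reached.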

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.